
CLAUDE.md

Maskan Properties Network Segmentation Assessment

Project and Client

You are conducting a network segmentation assessment for Fatima Al-Sulaiti, COO of Maskan Properties in Doha, Qatar. Maskan operates 12 residential and commercial buildings across Doha and Al Wakra, each with tenant Wi-Fi, building management systems (HVAC, fire suppression, elevators), CCTV, and electronic access control sharing network infrastructure.

Their insurance company flagged "insufficient segmentation" during an IT audit. If tenant Wi-Fi can reach building management systems, a compromise could affect physical safety. Maskan has a three-month deadline to address this or face a 30% insurance premium increase.

What You're Delivering

A comprehensive network segmentation assessment covering all 12 buildings:

  • Connectivity assessment showing what can reach what
  • Network segmentation design and implementation
  • Firewall rules with default-deny policy
  • Lateral movement testing to verify segmentation
  • Remediation plan with cost estimates for the board
  • Final assessment report for three audiences (insurance, board, IT)

Tech Stack

  • Docker (multi-network container environment simulating building infrastructure)
  • Nmap (connectivity and segmentation verification scanning)
  • Metasploit (lateral movement testing)
  • Grafana/Loki/Alloy (monitoring, logging, and detection)
  • Sigma (detection rules for lateral movement)
  • iptables (firewall rule implementation)

File Structure

materials/
  CLAUDE.md (this file)
  scope-document.md
  network-assessment-guide.md
  segmentation-design-template.md
  docker/
    docker-compose.yml
    alloy-config.yaml
  scripts/
    verify-environment.sh
  images/ (populated by media generation)

Work Breakdown

  1. Environment setup and client discovery -- set up Docker lab, read forwarded email, ask Fatima clarifying questions
  2. Connectivity assessment -- Nmap scans from each container type, connectivity matrix, STRIDE threat model
  3. Segmentation design -- zone architecture (tenant, building-systems, surveillance, access-control, management), Docker network implementation
  4. Firewall rules -- default-deny iptables policy, traffic policy per zone boundary, Docker iptables conflict resolution
  5. Legacy system exception -- Al Wakra BMS compensating control, exception documentation
  6. Third-party and shared infrastructure -- CCTV vendor VPN assessment, shared fiber investigation, scope creep management
  7. Lateral movement testing -- systematic path testing using Metasploit, gap remediation
  8. Remediation plan -- multi-audience report (insurance, board, IT), cost estimates, implementation timeline
  9. Final report and close -- compiled assessment report, architecture documentation, README, git push

Verification Targets

  • Segmentation verified from attacker position (Nmap from tenant container shows BMS ports unreachable)
  • Default-deny firewall rules in place (unlisted connections denied)
  • Detection rules fire on cross-zone traffic attempts
  • Lateral movement paths blocked (Metasploit sessions fail across zone boundaries)
  • Remediation plan includes cost estimates and maps to 3-month insurance deadline
  • Architecture documentation covers all zones and traffic rules
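One way to turn the tenant-side Nmap results into a pass/fail check against the zone policy, as an added example that is not part of the project materials: the zone names follow the brief, while the IP-to-zone mapping, the allow-list policy and the grepable (-oG) scan lines are constructed for illustration.

```python
"""Check Nmap -oG output from one zone against a default-deny allow-list."""
import re

# Permitted cross-zone TCP flows: (src_zone, dst_zone) -> ports.
# Any flow not listed is expected to be denied (constructed example policy).
POLICY = {
    ("management", "building-systems"): {22, 502},
    ("management", "surveillance"): {22, 554},
    ("management", "access-control"): {22, 443},
}

# Constructed mapping of lab container IPs to zones.
ZONES = {
    "10.10.1.10": "tenant",
    "10.10.2.10": "building-systems",
    "10.10.3.10": "surveillance",
    "10.10.5.10": "management",
}

# Only "open" counts as reachable; "closed" means a RST came back and
# "filtered" means the packet was dropped, which is what default-deny should show.
OPEN_PORT_RE = re.compile(r"(\d+)/open/tcp")

# Constructed sample of a scan run from the tenant container.
TENANT_SCAN = """\
# Nmap scan (constructed sample) as: nmap -oG - 10.10.2.10 10.10.3.10
Host: 10.10.2.10 ()\tStatus: Up
Host: 10.10.2.10 ()\tPorts: 502/open/tcp//mbap///, 22/closed/tcp//ssh///\tIgnored State: closed (998)
Host: 10.10.3.10 ()\tStatus: Up
Host: 10.10.3.10 ()\tPorts: 554/filtered/tcp//rtsp///\tIgnored State: filtered (999)
# Nmap done
"""

def parse_open_ports(grepable_output):
    """Return {host_ip: set(open_tcp_ports)} from Nmap -oG text."""
    result = {}
    for line in grepable_output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        result[ip] = {int(p) for p in OPEN_PORT_RE.findall(line)}
    return result

def find_violations(src_zone, grepable_output):
    """List (dst_ip, dst_zone, port) for each reachable port POLICY does not allow."""
    violations = []
    for ip, ports in parse_open_ports(grepable_output).items():
        dst_zone = ZONES.get(ip, "unknown")
        for port in sorted(ports - POLICY.get((src_zone, dst_zone), set())):
            violations.append((ip, dst_zone, port))
    return violations

if __name__ == "__main__":
    for ip, zone, port in find_violations("tenant", TENANT_SCAN):
        print(f"VIOLATION: tenant -> {zone} ({ip}) tcp/{port} reachable, expected deny")
```

Run the same check once per source zone (tenant, surveillance, access-control, and so on) and the sum of the violation lists is the gap list for the lateral movement phase.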

Commit Convention

Commit after completing each major assessment phase. Use descriptive messages that reflect the assessment progression:

  • "Complete connectivity assessment"
  • "Implement zone-based segmentation"
  • "Configure default-deny firewall rules"
  • "Complete lateral movement testing"
  • "Add remediation plan with cost estimates"